Risk Based Thinking in ISO 9001:2015

Reporting, best practices, non-compliance reporting, analysis


In clause 0.3.3 of the standard, it is said that “A positive deviation of the risk can provide an opportunity, but not all positive effects of risk result in opportunities.”  Can you please clarify this statement?


Thanks for contacting ASQ’s Ask the Experts program.  Good question! As mentioned, ISO FDIS 9001:2015, Clause 0.3.3, states, “A positive deviation of the risk can provide an opportunity, but not all positive effects of risk result in opportunities”.

In my opinion, this highlights an important point.  That is, not every positive deviation or change of a risk will include opportunity.  Consider the recent changes that have occurred in the Oil and Gas industry.  When the demand for crude oil was high, the availability of various materials and services providers was low, and prices were high.  This situation (availability of materials, services providers and costs) may have been identified as a supply chain risk.

However, the oversupply of crude oil drove prices down.  Crude oil production has dropped to stabilize pricing at the pumps.  This positive deviation of risk has provided an opportunity to crude oil producers, which includes the improved availability of materials, greater selection of services providers as well as more competitive pricing.  So dependent upon where you sit, this deviation of risk may be considered a negative that has decreased product demand and lowered pricing or a positive that has lowered consumer pricing and increased availability.

Consider companies that are providers of upstream services to crude oil producers.  Their risk based thinking may have identified the supply of qualified personnel to perform upstream servicing as a risk.  The decrease in demand for upstream services has increased the pool of qualified personnel.  However, this positive deviation of risk does not represent an opportunity.  The scenarios mentioned above are basic and intended to highlight the point of ISO FDIS 9001:2015, Clause 0.3.3.  There are far more dynamics that should be considered when assessing the deviation of risk versus opportunity.

I hope this helps.

Best regards,


Bill Aston, Managing Director
Aston Technical Consulting Services, LLC
Kingwood, TX 77339
Office: (281) 359-ATCS (2827) or Toll Free: (888) 968-9891
Website: www.astontechconsult.com

For more on this topic, please visit ASQ’s website.

TS 16949, ISO 9001

Automotive inspection, TS 16949, IATF 16949


Our company designs and manufactures commercial and automotive semiconductor products. We used to maintain dual certification (ISO 9001 and TS 16949) for all of our manufacturing and assembly locations, but recently dropped the ISO 9001 certification.  My questions are as follows:

1) If we manufacture automotive and non-automotive products in the same location “site”, without dedicated separation, does the TS certification eligibility apply to the entire site?

2) Can we include the non-automotive design RSLs in the TS 16949 certificate scope, or would we need a separate ISO 9001 certificate to cover those activities?


Thank you for your question.   Yes, TS 16949 requirements would apply to all of your “automotive” processes whether they produce/support only automotive products or not.   This is actually the way you’d want to do it:  it would be more complicated to try to have two systems for automotive and non-automotive products.    If you have only one certification, the scope of your audits would have to be your whole product line, and not just your automotive products.

The answer to your second question is again related to the scope of your registration.   If you are not design-responsible for the automotive side of your business there is a risk that your TS 16949 audits (internal and external) do not include your design function.    If you want your design activity in scope, work with your registrar to roll it into your scope of registration.  Understand that if you do it that way, your non-automotive design would be subject to all of the additional 7.3 controls listed in TS 16949.  Although you should be able to cover it under one registration, it will be up to them if they want you to split it out into a separate ISO 9001 registration.  The impact of that difference should be minimal.

Please let us know if you have any follow-up questions related to this answer.


Denis J. Devos, P.Eng
A Fellow of the American Society for Quality
Devos Associates Inc.
(519) 476-8951


Postponement of Surveillance Audit Due to Force Majeure Event

Force majeure


If a Force Majeure event affects the company during the time that the annual Surveillance Audit was to be done, can the Surveillance Audit be postponed until after the conclusion of the Force Majeure period without losing ISO 9001 certification?  Will the impact be 1.) Merely a certificate lapse rectified by passing the re-scheduled Surveillance Audit, 2.) Loss of certification requiring the next audit to be a Certification Audit instead of a Surveillance Audit, or 3.) Is it up to the Registrar? In this case, assume the Surveillance schedule delay is only 3 months or less, and the company has an excellent ISO audit track record. Thank you.


Thanks for contacting ASQ’s Ask the Experts program.  With regard to the frequency of surveillance audits as well as deferral of an audit as a result of force majeure, it’s important to know that all reputable Registrars or certification bodies (CBs) are accredited by an accreditation body (AB) such as ANAB.  This is intended to ensure a consistent approach for issuance of certifications by CBs.  To maintain certification the CB may conduct periodic surveillance audits.  Registered or certified organizations must be re-certified every 3 years or prior to the expiration date listed on their certification certificate.

Surveillance audits are conducted by the Registrar to verify the organization’s continued implementation as well as the improvement of the effectiveness of their QMS.  Registrars may increase or decrease the frequency of surveillance audits based upon the maturity level of the organization’s QMS.  For this reason, the frequencies that surveillance audits are conducted may vary, but are usually scheduled annually or every 12 months.  Other situations that may affect actual frequency of surveillance audits may be the availability of Auditors or possibly, unusual situations being experienced by the Auditee or organization.

As already mentioned, re-certification audits are required to be conducted every 3 years.  A Registrar typically does not have the authority to extend any organization’s ISO 9001 certification beyond the expiration date as shown on the certification certificate.  I would suggest that the certification contract agreement between your organization and the Registrar be reviewed to determine how conditions of force majeure are to be addressed.  This review should be followed up with a discussion with the Registrar to ensure there will be no impact on your organization’s existing QMS certification.  For more information about surveillance audits and other information regarding certification bodies (CBs), review the IAF guidance document “Application of ISO/IEC Guide 65:1996, Issue 3 (IAF GD 2006)”.  A copy of this document can be downloaded at www.iaf.nu.

I hope this helps.

Bill Aston, Managing Director
Aston Technical Consulting Services, LLC
Kingwood, TX  77339


ISO 9001:2008 Quality Manager Titles

Workplace safety, OHSAS 18001, work environments


Is it a requirement that a person in an ISO 9001 registered organization who is responsible for fulfilling the duties and requirements of the management representative hold the title of Management Representative, i.e., is it a noncompliance that such person holds a different title, e.g., specifically, Quality Representative?


I have seen this question come up at other times.  Basically, I refer to how we need to understand the word “shall”.  “Shall”, when used in the ISO standards,  indicates a requirement.

Therefore, when clause 5.5.2 in ISO 9001:2008 says, “Top management shall appoint a member of the organization’s management . . . .”, then it is a requirement. There are good reasons for this. For one, the Management Representative must have the authority to perform those duties necessary for the successful implementation and continuation of a quality management system. Generally, a person in management knows the company’s business and has a working relationship with all the departments.
It is sometimes a practice to give a person a management title but limit their authority to that which is related to the QMS.

I hope this is helpful to you and thank you for sending your question.

Bud Salsbury
ASQ Senior Member, CQT, CQI

Follow Up Question:


I appreciate and fully understand your answer, however, I probably did not pose my question adequately. The responsibilities of the MR are clearly assigned to a member of management, and, in fact, it is the QM, but that person does not use the title “Management Representative”, but instead uses “Quality Representative”.  So, in effect, there is no “MR” in the company.  Is this an issue?



If you wanted to add verbiage to your Quality Manual or one of your documented procedures (i.e. Management Responsibility) which clarifies this you could. However, you do not have to.

The standard says your MR shall be a member of management. The standard does not direct you to make this an official “title”.  It just needs to be clear that someone from management fulfills all the responsibilities of the MR. Those responsibilities can be in addition to that individual’s primary function.

It sounds like you are doing OK.

Bud Salsbury
ASQ Senior Member, CQT, CQI


Best Practices for Non-Compliance Reporting in ISO 9001

Reporting, best practices, non-compliance reporting

I have just assumed the role of Quality Assurance Manager for a worldwide manufacturer and installer of transportation systems.  As part of learning my new responsibilities and getting familiar with the existing Quality Management System (we are currently ISO 9001:2008 certified), I have encountered some things that I think may need to be changed.  Any opinions and/or advice would be greatly appreciated.

Here’s the issue: our current system for generating and tracking Non-Compliance Reports (NCRs) seems flawed.  The way it is set up, all NCRs that are generated include a check box to show any Corrective Actions or Preventative Actions.  If these boxes should be checked, the report is now called an NCR/CAR/PAR, all on the same form. The creator can then enter any actions taken.  There is also a section to enter the “solution” for the non-compliance.  The way this system works, it is not possible to create just a Corrective Action or Preventative Action Report (CAPA); they are shown as results, or solutions, to the NCR. Is this a good practice?

Are there better ways to utilize this process?  In going through the report from last year’s third party ISO audit, it was mentioned that we needed to improve on this process, and that the NCR/CAR/PAR should be tracked separately.  Any suggestions?

Generally, it is a good idea to use the same process for internal corrective action, a supplier corrective action, or a preventative action activity.  This will ensure that all required steps will be followed. As a Senior Quality Director for a company, we had our computer system log each type separately as we set different deadlines for our corrective actions and preventatives.

The issue may be resolved by having the reporting system separate each type with aging timelines. I believe each type needs to be tracked and reported monthly as well as at Management Review meetings.

Ron Berglund
ASQ Fellow


ISO 9001 Management Checklist

About ASQ's Ask the Standards Expert program and blog


Is there a list of duties for implementing ISO 9001:2008 for the management representative? I am interested in a checklist of responsibilities for that individual to use as a guide to help a company prepare for an ISO 9001:08 external audit leading to certification.


Thank you for your question.

In answer to your question, I must mention section 5.5.2 of the ISO 9001:2008 Standard. Here is the first place you will see a list of duties and responsibilities for the Management Representative (MR). While the points noted in 5.5.2 a, b, and c cover a lot of areas, I think you are looking for an expanded list and one with more specifics.

One important beginning step is a Gap Analysis. This will help your organization and your MR to see where you are at and where you need to go. From the results of your Gap Analysis, your MR and the Planning Team (if you have one) can generate a Gantt Chart. This will be a good guide to help everyone involved recognize where your company is during the implementation process.

The management representative (MR) has the responsibility of getting the quality management system (QMS) put in place. He/she must also keep the QMS effective and up to date. Your MR must report the current status of your QMS to top management.

The MR must also be well aware of management concerns and be capable of representing the company. I remember reading somewhere that a good MR is:

  1. A member of management (not necessarily a QC Manager).
  2. Willing to learn.
  3. Willing to teach.

All three of these items require capability. Capability to manage, learn, and teach.

As a final point on this question, I would advise that you acquire a book, or more than one, which can be used as a guide. ASQ has numerous publications which would help you to generate a list of your MR’s duties. The list can be long or short, depending on your company. It is always necessary for a management representative to be good at communicating, learning, researching, training, standing firm when necessary, and recognizing the importance of teamwork.

Bud Salsbury, CQT, CQI

Some additional resources available through ASQ:

ISO 9001:2008 Explained and Expanded
Optimizing your QMS Success
Charles A. Cianfrani and John E. “Jack” West
Print Book: http://asq.org/quality-press/display-item/?item=H1446

A Practical Field Guide for ISO 9001:2008
Erik Valdemar Myhrberg
Print Book: http://asq.org/quality-press/display-item/?item=H1369

ISO Lesson Guide 2008
Pocket Guide to ISO 9001:2008, Third Edition
J.P. Russell and Dennis Arter
Print Book: http://asq.org/quality-press/display-item/?item=H1344

ASQ Gantt Chart: http://asq.org/learn-about-quality/project-planning-tools/overview/gantt-chart.html

TS 16949 Conformance for a Non Value Add Company

Automotive inspection, TS 16949, IATF 16949

We’re a fabless semiconductor company, Tier 2, who is in the process of designing and developing an automotive product to deliver through our TS 16949 certified subcontractor, Tier 3, to an auto supplier Tier 1, for an OEM.

We know and understand that we cannot get TS 16949 certified, but we are still working at bringing up our ISO 9001 processes, certified for 14 years, to withstand a TS 16949 audit.
As we do our internal process audits in preparation for our ISO 9001/14001 Surveillance audit in June/13 we’re looking for TS gaps which we’ll document and work to close.
We’re looking for a registrar who would audit us to TS 16949 and give us a report that basically states that, assuming we do, have withstood the audit and that if we were an Mfg’r qualified to be TS 16949 certified company that we would pass a TS 16949 audit.
Are you aware of any other companies who have done this or of any registrars who provide this type of service?

We’re either setting a precedent for other fabless semiconductor companies designing to deliver for auto, or it’s already been done.  If it has, then what is this type of audit called and do you know anyone who has done it?

Thanks for any input you may provide.

Thank you for your question. There are two issues here. Firstly, contact your existing registrar with this question and see if they can comply with your request.

Secondly, this is about your obligation to provide a proper PPAP submission for these parts, whether they are manufactured by you or by a supplier. If you are the supplier for these parts, there are likely terms and conditions in your Purchase Order that require you to submit a level 3 PPAP. If these requirements are present, they are auditable as a customer-specific requirement whether you are registered to TS 16949 or not.

I hope this answers your question.

Denis J. Devos, P. Engineer
A Fellow of the American Society for Quality
Devos Associates Inc.
Advisors to the Automotive Industry


ISO/TS Standards Exclusions

Checklist, Conformity, Go/No Go


I have a question regarding exclusions from the ISO/TS standards.

The majority of our business is the design and manufacture of enclosure hardware. Recently though, a small portion of our business has become the sole North American Distributor for an Italian company. Their product lines are similar to ours. However, we procure their products and simply resell/distribute to their customers stateside, to Canada and Mexico. We do not have Design or Process Control for these items; they are pass-through product.

Therefore, my question is related to permissible exclusions from the ISO standard. Should we seek exclusions regarding certain clauses of Clause 7 of the standard, for this certain “supplier”, and/or for certain product groups that are sold on their behalf?

Any assistance you could provide would be helpful.



At first, your question seemed relatively uncomplicated and I am inclined to say that you can simply sell or provide the products in question with a disclaimer or something identifying the fact that your company is not the designer/manufacturer of the product. My company occasionally has purchased parts inserted into or added to the products made (like bushings or threaded inserts, etc). We don’t have to add anything to our QMS for those as long as those items meet regulatory and statutory requirements.

However, I should mention, the standards make it clear that exclusions are permissible if “such exclusions do not affect the organization’s ability or responsibility to consistently provide product that meets customer and applicable statutory and regulatory requirements.”

Therefore, stepping away from the initial ‘simple’ answer, I would say that such exclusions would not be permissible. This is due to the fact that your organization is ultimately responsible for meeting customer requirements. Although you do not design or manufacture that specific product, you provide, and are responsible for what the customer requests.

You are also responsible for seeing to it that the OEM is meeting customer as well as any statutory or regulatory requirements. This would be of particular importance if these are electrical enclosures or intended for hazardous services, such as NEMA 7 (explosion proof enclosures).

Since you already design and manufacture your own products and have Clause 7 included in your QMS, it would be counterproductive to add more documentation to exclude what you have mentioned. It would be wise to notify customers up-front, in the sales/purchase order process, that the product you are distributing is from a separate company.

Thanks much for this good question.

Bud Salsbury
ASQ Senior Member, CQT, CQI


Measurement System Analysis

ISO/IEC 17025:2017 General requirements for the competence of testing and calibration laboratories


Is there ever an exception to the rule about needing full Measurement System Analysis for any instrument placed in the Evaluation / Measurement Technique column on the Control Plan?  If an instrument is listed on the control plan, does it HAVE to have GRRs done, in addition to having to prove stability?  Please base off of ISO 9001 and TS 16949 requirements, and if there is a difference between them for this requirement.   


Thank you for this interesting question. Clause 7.6 of ISO 9001:2008 makes most of this fairly clear. Any monitoring and measuring equipment used to verify conformity of product must “be calibrated or verified, or both, at specified intervals, or prior to use. . .” Notice I made ‘at specified intervals’ bold. This is just to bring to light the importance of calibration cycles. You/your organization can determine what those cycles will be based on the stability of the measuring tool, frequency of use, working conditions, etc. For example, if you were using a micrometer to check close tolerance parts and you found it a good process to measure the parts frequently, this would be a contributing factor to the decision process. Then, if the working conditions included a lot of cutting fluids or perhaps a good deal of metal dust, another factor is added to the decision process. What I am driving at is this: once you have determined that the product conformity which you are checking is good and/or consistent and that your sample frequency is satisfactory, you would have no definite requirement for GRRs on the measuring equipment. The calibrations and/or verifications you do must be with equipment which is traceable to international or national measurement standards. If you use working standards as gages to check measuring equipment throughout production and those standards are traceable, then you are doing fine. The processes you use to verify the tools and any in-process measuring practices should be documented in Work Instructions or even with the use of photographs or flow charts.

In the second part of your question, you ask if there is a difference between 9001 and TS 16949. I reference section 7.6.1 of TS 16949. Here it is put straightforwardly:

7.6.1 Measurement System Analysis

Conduct statistical studies to analyze variation present in the results of each type of MMD that is referenced in the Control Plan.

Use analytical methods & acceptance criteria that:

  1. Conform to methods and criteria in customer reference (MSA) manuals, or
  2. Use other methods, if approved by the customer.

This is an automotive sector specific QMS standard. Herein it is necessary to consider safety and liability in everything you do. So, Gage R&Rs are a common practice. Nonetheless, the necessity for these is dictated by individual processes. Some may need them, some may not.

So, if an instrument is listed on YOUR control plan, GRRs will become a requirement based on all the criteria I’ve noted above. A gage which has proven stability is most often safe from that requirement under 9001, but TS 16949 has more extensive requirements.

Bud Salsbury, CQT, CQI


Use of Correction Fluid to Modify ISO 9001 QMS Documents

ISO documentation practices, requirements

Q: During a recent audit, I discovered that my supplier was using correction fluid and scrubbing out the training records of its employees with no control over the documents. I said that would be a major finding, but they state that there is nothing in ISO/ANSI/ASQ 9001:2008 Quality management systems–Requirements specifically telling them that they can’t correct records on the fly without any control.  Can you clarify this practice for me? I can’t find anything definitive in the standard.

A: This is an interesting question. Sometimes, people complicate standards rather than recognize them for the friendly guides they can be. It is true, as written in clause 6.2.2 of ISO 9001:2008,  that records for education, training, skills and experience need to be maintained per clause 4.2.2. However, the standard does not designate a specific process for this.

Clause 4.2.4 expresses a requirement to establish a documented procedure, and also states that the records should be legible. While the practice of using correction fluid or scrubbing out training records is probably not the best and most professional way of handling things, it’s not a cause for a finding of nonconformance.

Records which have a direct effect on customer products would definitely need better controls. However, I think in this case, you might find it wise to work with the supplier to find a better way of recording employee training. The records must remain legible, readily identifiable and retrievable. If that is what they are doing and product quality is not affected, there should be no major finding. A recommendation for continual improvement would be appropriate.

I hope this helps.

Bud Salsbury
ASQ Senior Member, CQT, CQI